NCCIC/ICS-CERT INCIDENT ALERT

IR-ALERT-H-16-043-01AP CYBER-ATTACK AGAINST UKRAINIAN
CRITICAL INFRASTRUCTURE
UPDATE A
March 7, 2016

This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled IR-ALERT-H-16-043-01P Ukrainian Power Outage Event that was published February 12, 2016, on the US-CERT secure Portal library.

-Begin Update A Part 1 of 2- 

On December 23, 2015, Ukrainian power companies (Oblenergos) experienced an unprecedented cyber-attack causing power outages, which impacted over 225,000 customers in Ukraine. These attacks were conducted by remote cyber-attackers who, leveraging legitimate credentials obtained via unknown means, remotely operated breakers to disconnect power. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts. There have been public reports that indicate BlackEnergy (BE) malware was responsible for the attack. However, the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) does not have sufficient supporting evidence to confirm the role of BE but continues to conduct further analysis. If BE played a role, it was most likely in the reconnaissance and preparatory phases, not during the actual attack. Many malware implants could have conducted this activity.

This incident highlights the urgent need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures that reduce risks from the following types of adversary techniques:

• Theft of legitimate user credentials to enable access masquerading as approved users,

• Leveraging legitimate remote access pathways (VPNs),

• The remote operation of human-machine interfaces (HMIs) via company-installed remote access software (such as RDP, TeamViewer or rlogin),

• The use of destructive malware such as KillDisk to disable industrial control systems (ICSs) and corporate network systems,

• Firmware overwrites that disable/destroy field equipment,

• Unauthorized scheduled disconnects of uninterruptible power supplies (UPS) to devices to deny their availability,

• The delivery of malware via spear-phishing emails and the use of malicious Microsoft Office attachments, and

• Use of Telephone Denial of Service (TDoS) to disrupt operations and restoration.

This report is being shared for situational awareness and network defense purposes. ICS-CERT strongly encourages organizations across all sectors to review and employ the mitigation strategies and detection mechanisms contained within this report.

DETAILS 

An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. The Ukrainian government worked closely and openly with the U.S. team and shared information to help prevent future cyber-attacks.

The following account of events is based on the interagency team's interviews with operations and information technology staff and leadership at six Ukrainian organizations with first-hand experience of the event. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team's interviews, as well as documentary findings, corroborate the events as outlined below.

Through interviews with impacted entities, the team learned that the power outages Ukraine experienced on December 23, 2015, were caused by remote cyber-attacks at three regional electric power distribution companies (Oblenergos), impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.
The team assesses that the attacks against the Oblenergos demonstrated some Tactics, Techniques, and Procedures (TTPs) that, while previously known, had not been previously observed in an actual cyber-attack. The cyber-attacks were reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

After gaining a foothold in the victim networks, attackers acquired legitimate credentials and leveraged valid remote access pathways to conduct their attack. The physical impact events of the cyber-attacks were launched within 30 minutes of each other, impacting multiple central and regional facilities. Over 50 regional substations experienced malicious remote operation of their breakers, conducted by multiple external human operators. This was done using either existing remote administration tools at the operating system level or remote ICS client software via virtual private network (VPN) connections.

All three impacted companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based HMIs embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors interrupted power to some data centers through scheduled power outages on server UPS via the remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.


Initial intrusion appears to have been through malware, which was delivered via spear-phishing emails with malicious Microsoft Office attachments. While it has not been confirmed with technical artifacts, it is probable that the spear-phishing intrusion and the outage are related. While the cyber-attack has been widely attributed to BE in the open press, any remote access trojan could have been used in these attacks, and none of BE's unique capabilities were leveraged. At this time, no definitive link can be drawn between the outage and the presence of the BE malware; however, analysis is ongoing.

TACTICS, TECHNIQUES, AND PROCEDURES (TTP) 

According to reports and reviewed artifacts, the primary access pathway was the use of legitimate remote access pathways such as VPN to access local systems. The ICSs were accessed with the use of compromised legitimate credentials or accounts that the adversaries created in company networks. The exact nature of the credential harvesting remains unknown. It is likely that the credentials were obtained well ahead of the December 23, 2015, event.
Most breakers were tripped when remote human operators accessed the dispatcher workstations and remotely took control of the terminals using legitimately installed remote access tools. The functionality of these tools was similar to Remote Desktop Protocol (RDP) and RAdmin. Local operators were locked out of their own workstations, with keyboard and mouse control disabled; however, they could observe the attackers' actions on their screens.

Some of the breakers were tripped when remote human attackers commanded them to open via a properly configured Distribution Management System (DMS) client application sending commands directly to the DMS server via the VPN.

In multiple cases, the attackers changed passwords for key systems. This resulted in legitimate 
users being unable to access the systems during the recovery process. 

Near the conclusion of the attack, the attackers corrupted the firmware of some of the serial-to-Ethernet converters employed for substation communications and some network routers. The firmware overwrite was recoverable neither in the field nor by the manufacturer, necessitating the replacement of the device. Impacted devices were the Moxa UC 7408-LX-Plus and the IRZ-RUH2 3G. However, there are many devices susceptible to these types of malicious firmware corruptions. The exact mechanism of this firmware corruption is unknown; however, both devices allow authorized users to remotely update the firmware. It is possible that the attackers gained these credentials, as they gained other legitimate credentials in the system, and used them to push invalid firmware to the devices.

All three companies indicated that attackers wiped targeted systems by executing the KillDisk malware at the conclusion of the attack. The KillDisk malware erased selected files on target systems and corrupted the master boot record, rendering systems inoperable. KillDisk was not executed against every system in the environment; however, management, HR, finance, and ICS operations staff workstations and servers were targeted. There have been unconfirmed reports that the BE malware was used to download and launch the KillDisk malware.


It was further reported that in at least one instance, a Remote Terminal Unit (RTU) product with an embedded Windows HMI card (ABB RTU560 CMU-02 PLC Daughter Card) was overwritten with KillDisk.


In multiple cases, one of the first actions taken by the attacker was to schedule an unauthorized power outage on supporting UPS devices. In one instance, an internal telephone communications server was targeted, effectively cutting off all internal communications with regional offices and distribution substations. At a different company, 30 minutes prior to the first unauthorized breaker operation, the actor used the local UPS to schedule a power shutdown of the main data center to occur several hours later. In addition to the standard consequences of power loss, the resulting reboot caused the full impact of the KillDisk efforts to take effect.

In one case, a TDoS was reported during the time of the attacks against a company call center. This TDoS impacted customer outage reporting as well as internal company coordination in response to the incident.

Multiple rounds of spear phishing, starting as early as March 2015 and as recently as January 20, 2016, with MS Office attachments and generally popular topics, were observed. These spear-phishing emails dropped a variety of malware artifacts but primarily dropped BE variants. The role and connection between this spear phishing and the outage is unclear. If connected, it may have been a vector for initial reconnaissance and information gathering. There are also reports of the installation of backdoors such as GCat, DropBear, and Kryptik.

ICS-CERT assesses that these destructive actions (firmware overwrites, KillDisk, etc.) were 
done in an attempt to interfere with expected restoration efforts. 

MITIGATION 

It is the assessment of ICS-CERT that critical infrastructure ICS networks, across multiple sectors, are vulnerable to similar attacks. Asset owners should take proactive steps to prevent similar attacks from impacting their own systems. There are a number of mitigations suggested to address these risks, as follows:

• Contingency planning that assumes the ICS itself is actively working against the safe operation of the process,

• Limiting remote access,

• Network and credential monitoring,

• Multifactor authentication,

• Firmware and driver signing,

• Network architecture documentation and planning,

• Application Whitelisting,

• Backdoor detection and alerting, and

• Contingency planning for TDoS.

IR-ALERT-H-16-043-01AP          Page 5 of 17          UNCLASSIFIED // FOR OFFICIAL USE ONLY // TLP = GREEN

Homeland Security | NCCIC National Cybersecurity and Communications Integration Center

Organizations should develop and exercise contingency plans that allow for the safe operation and/or shutdown of operational processes in the event that their ICS is breached. These plans should include the assumption that the ICS is actively working counter to the safe operation of the process. While the Ukrainian companies did not have such a plan prepared, their experience with manual operation of their distribution systems allowed them to quickly recover. As US infrastructure is generally more reliant on automation, a comprehensive plan is needed to ensure safe operation or shutdown of processes under this condition.

Organizations should isolate ICS networks from any untrusted networks, especially the Internet. All unused protocol ports should be locked down and all unused services turned off. Only allow real-time connectivity to external networks if a defined business requirement or control function exists. If one-way communication can accomplish a task, use optical separation ("data diode"). If bidirectional communication is necessary, then use a single open port over a restricted network path. By establishing separate credentials for each network, as well as preventing data flow between the business network and the control system network, attackers are prevented from leveraging information gained from a successful compromise of the enterprise against the control system. Separating these networks prevents attackers from pivoting through the generally weaker and more chaotic business network. By using different authentication systems on each network, attackers cannot reuse compromised credentials found on enterprise systems on control system networks. Additional information about implementing this high-level architecture can be found in the ICS-CERT document "Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies" (https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf).

Figure 1: Ideal ICS Network Configuration

Organizations should limit remote access functionality wherever possible. Modems are especially insecure. Users should implement "monitoring only" access that is enforced by data diodes, and not rely on "read only" access enforced by software configurations or permissions.

Remote persistent vendor connections should not be allowed into the control system network. Remote access should be operator controlled, time limited, and procedurally similar to "lockout, tag out." The same remote access paths for vendor and employee connections can be used; however, double standards should not be allowed.

Credential monitoring should be used to identify compromised credentials being used by unauthorized attackers. Had credential monitoring been in place during the attack, it is plausible that the attackers' behavior would have been detected while in the reconnaissance phase. As an example, in one case the attackers' first action was creating new unauthorized domain accounts and granting them certain privileges. Had this been monitored, it would have alerted system administrators weeks prior to the attack. By identifying unusual events in network traffic and/or credential usage, there is a significantly increased probability that network defenders will identify initial intrusions during the reconnaissance phase, prior to any damage occurring.

When looking at network perimeter components, the modern IT architecture will have technologies to provide for robust remote access. These technologies often include firewalls, externally facing interfaces, and wireless access. Each technology will allow enhanced communications in and amongst affiliated networks and will often be a subsystem of a much larger and more complex information infrastructure. However, each of these components can (and often does) have associated security vulnerabilities that an adversary will try to detect and exploit. Interconnected networks are particularly attractive to a malicious actor, because a single point of compromise may provide extended access due to the pre-existing trust established among interconnected resources.[a]

Only one of the six companies was following ICS-CERT's recommended practices for monitoring industrial control systems networks. (The outlying company was not one of the three which experienced physical impacts.) Because of the more constrained nature of control system networks, and due to the limited number of protocols being used, ICS networks are generally easier to monitor, and anomalous network traffic is easier to detect. It is recommended that administrators develop a trusted profile of their network traffic and then use this as a baseline to identify unexpected events. Of special attention to ICS networks, traffic from IP addresses other than expected devices and unusual behaviors such as events occurring at unusual times can be of especially significant value.
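The trusted-profile approach described above, as an added Python example (not code from the alert or from ICS-CERT): a checker that compares ICS flow records against a baseline of which sources may speak to which control-protocol service, and in which hours an engineering host is expected to be active. The profile, host addresses, ports and the flow log are all constructed for illustration; in practice the profile is learned from weeks of captured traffic and reviewed with operations staff before it is used for alerting.

```python
"""Baseline ("trusted profile") check over ICS network flow records.

Added example; not code from the ICS-CERT alert. The profile, host addresses,
ports and the flow log below are constructed for illustration.
"""
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed trusted profile: for each control-protocol service, the set of
# sources that are expected to talk to it. Anything else is reported.
TRUSTED_PROFILE = {
    ("10.20.1.10", 502, "tcp"): {"10.20.0.5", "10.20.0.6"},    # SCADA servers -> RTU, Modbus/TCP
    ("10.20.1.11", 20000, "tcp"): {"10.20.0.5", "10.20.0.6"},  # SCADA servers -> RTU, DNP3
    ("10.20.1.10", 22, "tcp"): {"10.20.0.50"},                 # engineering workstation -> RTU management
}
# Hosts that are only expected to be active inside a maintenance window
# (hour of day, inclusive start, exclusive end). Constructed assumption.
ACTIVITY_WINDOWS = {"10.20.0.50": (8, 17)}


def parse_flow(line):
    """Parse one constructed flow-log line: '<ISO timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto)


def classify(flow, profile=TRUSTED_PROFILE, windows=ACTIVITY_WINDOWS):
    """Return the reasons this flow deviates from the baseline; an empty list means normal."""
    reasons = []
    allowed = profile.get((flow.dst, flow.dport, flow.proto))
    if allowed is None:
        reasons.append("unprofiled service %s/%d on %s" % (flow.proto, flow.dport, flow.dst))
    elif flow.src not in allowed:
        reasons.append("unexpected source %s for %s:%d" % (flow.src, flow.dst, flow.dport))
    if flow.src in windows:
        start, end = windows[flow.src]
        if not start <= flow.ts.hour < end:
            reasons.append("%s active at %s, outside %02d:00-%02d:00"
                           % (flow.src, flow.ts.strftime("%H:%M"), start, end))
    return reasons


# Constructed flow log. The last three lines mimic the TTPs in the alert: a
# VPN-pool address issuing Modbus to an RTU, an engineering host active at
# 02:10, and that host touching a service the profile knows nothing about.
SAMPLE_FLOWS = """\
2015-12-23T14:00:01 10.20.0.5 10.20.1.10 502 tcp
2015-12-23T14:00:02 10.20.0.6 10.20.1.11 20000 tcp
2015-12-23T15:31:10 10.99.0.23 10.20.1.10 502 tcp
2015-12-24T02:10:45 10.20.0.50 10.20.1.10 22 tcp
2015-12-24T02:12:03 10.20.0.50 10.20.1.12 80 tcp
"""


def find_anomalies(text=SAMPLE_FLOWS):
    """Return [(flow, reasons)] for every flow in the log that deviates from the profile."""
    hits = []
    for line in text.strip().splitlines():
        flow = parse_flow(line)
        reasons = classify(flow)
        if reasons:
            hits.append((flow, reasons))
    return hits


if __name__ == "__main__":
    for flow, reasons in find_anomalies():
        print(flow.ts.isoformat(), flow.src, "->", "%s:%d" % (flow.dst, flow.dport), "|", "; ".join(reasons))
```

The profile is keyed on the destination service rather than on the source host so that a new talker to an RTU is flagged even when it is an otherwise legitimate internal address, which is the case the alert describes (valid VPN credentials, legitimate client software).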

Requiring signed drivers and validating these signatures provides a significant layer of protection from malicious drivers as well as firmware overwrites such as were seen in Ukraine. This technology prevents tampered drivers from being loaded on devices, and alerts to malicious activity on a network. While implementing these measures requires participation by both the equipment vendor and the asset owner, users should leverage this technology where available and consider appropriate procurement requirements when acquiring new equipment.

a. NCCIC/ICS-CERT, Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf, Web site last accessed March 7, 2016.

Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by malicious actors. The static nature of some systems, such as database servers and HMI computers, makes these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments.[b] Alerts should be established when applications commonly used in cyber-attacks are attempted to be loaded on any system. Pertaining to this incident, and assuming that the spear-phishing emails were the reconnaissance component of the attack, had AWL been in place when the BE, DropBear, GCat, or other malware attempted to execute, it would have been stopped by the AWL solution. Even if these were not detected, the KillDisk malware was executed as a separate binary and, therefore, would have been prevented from running by AWL, limiting the damage.

Strong multi-factor authentication should be used whenever possible, ensuring the factors are of different categories (something you know, something you have, something you are, etc.) and cannot be easily stolen together (e.g., a password and a soft certificate, both of which can be taken from the same compromised host). Evidence was found in Ukraine that demonstrated the weakness of single-factor authentication. While not a complete solution on its own, implementing multi-factor authentication, especially on externally facing connections, presents significant obstacles for attackers. In addition, access logs should be carefully monitored and appropriately alerted on. Intrusion detection systems should be trained to recognize anomalies from normal behavior, and notify upon unusual events, such as local accounts being used to access systems from remote IP addresses.
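The credential monitoring recommended earlier (unauthorized account creation and privilege grants, which in Ukraine preceded the attack by weeks) and the anomaly just described (a local account used from a remote IP address, or an interactive remote logon from an unexpected source), as an added Python example that is not part of the alert. The rules run over Windows Security event records; the event IDs are the standard ones (4720, 4728/4732, 4624), while the hosts, accounts, addresses and the jump-host allowlist are constructed assumptions.

```python
"""Credential-monitoring rules over Windows Security events.

Added example; not code from the ICS-CERT alert. Records are dicts carrying the
field names Windows uses (EventID, TargetUserName, IpAddress, LogonType, ...);
the hosts, accounts, addresses and the jump-host allowlist are constructed.
Event IDs: 4720 user account created; 4728/4732 member added to a
security-enabled global/local group; 4624 successful logon.
"""
from datetime import datetime, timedelta

# Group memberships that should never change on an ICS domain without a ticket.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Remote Desktop Users"}
# Sources from which interactive remote logons are expected (constructed: one jump host).
EXPECTED_REMOTE_SOURCES = {"10.20.0.50"}
LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}
LOGON_REMOTE_INTERACTIVE = 10  # LogonType 10 = RDP / RemoteInteractive


def cn_of(dn):
    """'CN=svc_backup2,CN=Users,DC=corp,DC=example' -> 'svc_backup2' (MemberName is a DN)."""
    return dn.split(",")[0].split("=", 1)[-1].lower()


def evaluate(events, expected_sources=EXPECTED_REMOTE_SOURCES, link_window=timedelta(hours=1)):
    """Return alert strings for the events, processed in time order."""
    alerts = []
    created_at = {}  # account -> time of its 4720, to link a creation to a following privilege grant
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["EventID"]
        if eid == 4720:
            created_at[ev["TargetUserName"].lower()] = ev["ts"]
            alerts.append("%s account created: %s by %s" % (ev["ts"], ev["TargetUserName"], ev["SubjectUserName"]))
        elif eid in (4728, 4732) and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = cn_of(ev["MemberName"])
            msg = "%s %s added to %s by %s" % (ev["ts"], member, ev["TargetUserName"], ev["SubjectUserName"])
            if member in created_at and ev["ts"] - created_at[member] <= link_window:
                msg += " (account created %s earlier)" % (ev["ts"] - created_at[member])
            alerts.append(msg)
        elif eid == 4624 and ev["IpAddress"] not in LOCAL_ADDRESSES:
            src = ev["IpAddress"]
            host = ev["Computer"].split(".")[0].upper()
            # A local (non-domain) account reports the computer name as its domain.
            if ev["TargetDomainName"].upper() == host:
                alerts.append("%s local account %s\\%s used from %s on %s"
                              % (ev["ts"], ev["TargetDomainName"], ev["TargetUserName"], src, host))
            elif ev["LogonType"] == LOGON_REMOTE_INTERACTIVE and src not in expected_sources:
                alerts.append("%s remote interactive logon %s\\%s from unexpected source %s on %s"
                              % (ev["ts"], ev["TargetDomainName"], ev["TargetUserName"], src, host))
    return alerts


T = datetime.fromisoformat
# Constructed events: an account created and made Domain Admin weeks before the
# outage, then on the day itself RDP from a VPN-pool address to the dispatcher
# workstation and a local Administrator logon to an HMI from the same address.
SAMPLE_EVENTS = [
    {"ts": T("2015-11-30T21:14:02"), "EventID": 4720, "Computer": "dc01.corp.example",
     "SubjectUserName": "j.admin", "TargetUserName": "svc_backup2"},
    {"ts": T("2015-11-30T21:15:40"), "EventID": 4728, "Computer": "dc01.corp.example",
     "SubjectUserName": "j.admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"ts": T("2015-12-23T08:00:00"), "EventID": 4624, "Computer": "dispatch01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "operator1", "LogonType": 10, "IpAddress": "10.20.0.50"},
    {"ts": T("2015-12-23T08:01:00"), "EventID": 4624, "Computer": "dispatch01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "operator1", "LogonType": 2, "IpAddress": "-"},
    {"ts": T("2015-12-23T15:20:11"), "EventID": 4624, "Computer": "dispatch01.corp.example",
     "TargetDomainName": "CORP", "TargetUserName": "operator3", "LogonType": 10, "IpAddress": "10.99.0.23"},
    {"ts": T("2015-12-23T15:21:05"), "EventID": 4624, "Computer": "hmi02.corp.example",
     "TargetDomainName": "HMI02", "TargetUserName": "Administrator", "LogonType": 3, "IpAddress": "10.99.0.23"},
]


def run_sample():
    """Evaluate the constructed events; returns the four alerts described above."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Account creation is alerted unconditionally: on a control-system domain it is rare enough that every instance deserves a review, and linking it to a privilege grant within the hour is exactly the sequence the alert says would have surfaced the intruders weeks early.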

As in common networking environments, control system domains can be subject to a myriad of vulnerabilities that can provide malicious actors with a "backdoor" to gain unauthorized access. Often, backdoors are simple shortcomings in the architecture perimeter, or embedded capabilities that are forgotten, unnoticed, or simply disregarded. Malicious actors will leverage any discovered access functionality to gain remote access to a domain. Modern networks, especially those in the control systems arena, often have inherent capabilities that are deployed without sufficient security analysis and can provide malicious actors access through undocumented channels. These backdoors can be accidentally created in various places on the network, but the network perimeter is of greatest concern. Regular architecture reviews, passive and active penetration testing, and network traffic monitoring can all help to identify these backdoors.


b. NCCIC/ICS-CERT, Seven Steps to Effectively Defend Industrial Control Systems, https://ics-cert.us-cert.gov/Seven-Steps-Effectively-Defend-Industrial-Control-Systems, Web site last accessed March 7, 2016.
TDoS attacks occur when perpetrators deliver a flood of telephone calls to an organization's telephone system, disrupting normal operations. Ukraine experienced a TDoS as part of the recent cyber-attacks, disrupting their ability to interface with their customers as well as communicate internally. While TDoS attacks are difficult to mitigate, organizations should be prepared on how they would respond to such an event. Upstream telephony service providers may be able to provide technical controls which lessen the impacts. Consideration should be given on how appropriate logging and voice recordings will be captured for forensic review.

Accurate and detailed network documentation is critical to the mitigations above. Organizations 
must understand the network architecture of their ICS networks, including internal 
communications, ingress and egress points, and interdependencies. This documentation should 
be validated through regular administrative and technical assessments. 

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies and Seven Steps to Effectively Defend Industrial Control Systems.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


For more information on securely working with dangerous malware, please see US-CERT Security Tip ST13-003 Handling Destructive Malware at https://www.us-cert.gov/ncas/tips/ST13-003.

DETECTION 

While the role of BE in this incident is still being evaluated, the malware was reported to be present on several systems. Detection of BE malware should be conducted using the latest published YARA signature. This can be found at: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01E.

Additional information about using YARA signatures can be found in the May/June 2015 ICS-CERT Monitor available at: https://ics-cert.us-cert.gov/monitors/ICS-MM201506.

-End Update A Part 1 of 2- 
Indicators (grouped by Type)

Domain
  mail.baggins.biz
  mx01.24.7h.com
  SRV-EXMB01.kpb.ua

Email Header Information
  Received: from SRV-EXMB01.kbp.ua (10.1.1.63) by SRV-EXMB01.kbp.ua (10.1.1.63)
   with Microsoft SMTP Server (TLS) id 15.0.712.22 via Mailbox Transport; Wed, 4 Mar 2015 18:59:59 +0000
  Received: from SRV-EXCA02.kbp.ua (10.1.1.75) by srv-exmb01.kbp.ua (10.1.1.63)
   with Microsoft SMTP Server (TLS) id 15.0.712.22; Wed, 4 Mar 2015 18:59:57 +0000
  Received: from [subdomain].[domain].[tld] (X.X.X.X) by SRV-EXCA02.kbp.ua (10.1.1.76)
   with Microsoft SMTP Server id 15.0.712.22 via Frontend Transport; Wed, 4 Mar 2015 18:59:57 +0000
  X-IronPort-Anti-Spam-Filtered: true
  X-IronPort-Anti-Spam-Result: AOCeBACIVfdU/OP41QXOEgECAgE
  X-IPAS-Result: AOCeBACIVfdU/OP41QXOEgECAgE
  X-IronPort-AV: E=Sophos;i="5.09,689,1418083200"; d="pps'32,48?mf32,48?exe'32,48,96?scan'32,48,96,32,96,48,208,245,217";a="574775"
  Received: from mail.baggins.biz ([xxx.xxx.xxx.xxx]) by [subdomain].[domain].[tld] with SMTP; 04 Mar 2015 18:59:53 +0000

IP Address
  146.0.74.7
  148.251.82.21
  176.53.127.194
  188.40.8.72
  31.210.111.154
  41.77.136.250
  62.210.188.110
  78.108.190.20

Malicious File Location
  C:\Users\{user}\AppData\Local\_FONTCACHE.DAT
  C:\Users\{user}\AppData\Local\FONTCACHE.DAT
  C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayer.exe
  C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayerapp.exe
  C:\Windows\System32\drivers\acpipmi.sys
  C:\Windows\System32\drivers\adpu320.sys
  C:\Windows\System32\drivers\adpu320.sys (BlackEnergy)
  C:\WINDOWS\Temp\Dropbear

Malicious URL
  148.251.82.21/Microsoft/Update/KS4567890.php
  188.40.8.72/17vogLG/BVZ99/rt170v/solocWeegL7p.php
  xxx.xxx.xxx.xxx/Microsoft/Update/KS1945777.php
  hxxp://xxx.xxx.xxx.xxx/fHKfvEhleQ/maincraft/derstatus.php
  hxxp://31.210.111.154/Microsoft/Update/KS081274.php
  hxxp://41.77.136.250/Microsoft/Update/KS081274.php
  hxxp://xxx.xxx.xxx.xxx/Microsoft/Update/KC074913.php
  hxxps://31.210.111.154/Microsoft/Update/KS081274.php
  hxxps://xxx.xxx.xxx.xxx/Microsoft/Update/KS1945777.php
  hxxps://146.0.74.7/17vogLG/BVZ99/rt170v/solocWeegL7p.php
  hxxps://148.251.82.21/Microsoft/Update/KS4567890.php
  hxxps://188.40.8.72/17vogLG/BVZ99/rt170v/solocWeegL7p.php
  hxxps://xxx.xxx.xxx.xxx/Microsoft/Update/KC074913.php
  hxxps://xxx.xxx.xxx.xxx/fHKfvEhleQ/maincraft/derstatus.php

Malware Variant Observed
  DropBear.exe
  Pnote o.exe
  Pservice PPD.exe
  Starter.exe
  tsk.exe (PC)
  tsk2.exe (server)
  vba_macro.exe (SHA-1: 4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C)
  Win32/KillDisk.NBD
  Win32/Rootkit.BlackEnergy.BF trojan
  Java/TrojanDropper.Agent.BB trojan

-Begin Update A Part 2 of 2-

Indicators (grouped by Type)

File Indicator
  khelmn.exe
  msupdate_6789.exe
  www/fengoffice/tmp/tmp9067/09kh.exe
  CSIDL_APPDATA\Adobe\settings.sol

IP Address
  95.141.37.205
  31.210.111.154
  88.198.25.92
  5.9.32.230
  41.77.136.250

Web shell
  /tmp/11236tmp.php
  /tmp/17271tmp.php
  /tmp/17513tmp.php
  /tmp/17778tmp.php
  /tmp/18054tmp.php
  /tmp/19198shell.php
  /tmp/21682tmp.php
  /tmp/21982tmp.php
  /tmp/27770tmp.php
  /tmp/28274tmp.php
  /tmp/2887tmp.ph
  /tmp/2887tmp.php
  /tmp/28892tmp.php
  /tmp/301tmp.php
  /tmp/32195tmp.php
  /tmp/8445tmp.php
  /tmp/9388shell
  /tmp/9388shell3.php
  /tmp/9642tmp.php
  /tmp/shell.php
  /tmp/tmp27770.php
  /tmp/tmp28274.php
  /tmp/tmp8454.php
  /tmp/tmp9067/reDuh.php
  /tmp/tmp9067/tml563.php
  /tmp/weevely.php
  /tmp/weevly.php

MD5 hash of malware
  6903A0CE131CF0E1B105EC844E846173

Malicious Website
  hxxps://31.210.111.154/Microsoft/Update/KS081274.php
  hxxps://88.198.25.92/fHKfvEhleQ/maincraft/derstatus.php
  hxxps://5.9.32.230/Microsoft/Update/KS1945777.php
  hxxps://41.77.136.250/Microsoft/Update/KS081274.php


-End Update A Part 2 of 2- 

ICS-CERT will provide additional analysis and technical indicators as they become available. 
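An added example, not from the alert, of putting the indicator tables to work: a Python scanner that normalizes the published indicators (the {user} path placeholder becomes a wildcard for the profile name, CSIDL_APPDATA is expanded to the roaming AppData folder it denotes, hxxp is refanged) and checks them against host and proxy telemetry and against the "from" hosts of a message's Received: chain. The indicator values are a subset copied from the tables above; the telemetry lines and the mail headers are constructed for illustration, the latter shaped like the chain in the table with the same redactions.

```python
"""Match the alert's published indicators against host and mail telemetry.

Added example; not code from the ICS-CERT alert. The indicator values are a
subset copied from the tables above; the telemetry lines are constructed.
"""
import re
from email.parser import HeaderParser

IOC_IPS = {"146.0.74.7", "148.251.82.21", "176.53.127.194", "188.40.8.72", "31.210.111.154",
           "41.77.136.250", "62.210.188.110", "78.108.190.20", "95.141.37.205", "88.198.25.92", "5.9.32.230"}
IOC_DOMAINS = {"mail.baggins.biz", "mx01.24.7h.com"}
IOC_PATHS = [  # {user} is the alert's placeholder for the profile name
    r"C:\Users\{user}\AppData\Local\_FONTCACHE.DAT",
    r"C:\Users\{user}\AppData\Local\FONTCACH E.DAT".replace(" ", ""),
    r"C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayer.exe",
    r"C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayerapp.exe",
    r"C:\Windows\System32\drivers\acpipmi.sys",
    r"C:\Windows\System32\drivers\adpu320.sys",
    r"C:\WINDOWS\Temp\Dropbear",
    r"CSIDL_APPDATA\Adobe\settings.sol",
]
IOC_URLS = [  # defanged as published
    "hxxps://31.210.111.154/Microsoft/Update/KS081274.php",
    "hxxps://88.198.25.92/fHKfvEhleQ/maincraft/derstatus.php",
    "hxxps://5.9.32.230/Microsoft/Update/KS1945777.php",
]
IOC_WEBSHELLS = ["/tmp/shell.php", "/tmp/weevely.php", "/tmp/tmp9067/reDuh.php", "/tmp/9388shell3.php"]


def path_regex(path):
    """Compile a published path: CSIDL_APPDATA is %APPDATA%, {user} matches one path component."""
    path = path.replace("CSIDL_APPDATA", r"C:\Users\{user}\AppData\Roaming")
    parts = [re.escape(p) for p in path.split("{user}")]
    return re.compile(r"[^\\]+".join(parts), re.IGNORECASE)


PATH_PATTERNS = [path_regex(p) for p in IOC_PATHS]
URL_PATTERNS = [re.compile(re.escape(u.replace("hxxp", "http")), re.IGNORECASE) for u in IOC_URLS]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return [(indicator_type, indicator)] for every published indicator present in the line."""
    hits = [("ip", ip) for ip in sorted(set(IP_RE.findall(line))) if ip in IOC_IPS]
    low = line.lower()
    hits += [("domain", d) for d in sorted(IOC_DOMAINS) if d in low]
    hits += [("path", src) for pat, src in zip(PATH_PATTERNS, IOC_PATHS) if pat.search(line)]
    hits += [("url", src) for pat, src in zip(URL_PATTERNS, IOC_URLS) if pat.search(line)]
    hits += [("webshell", ws) for ws in IOC_WEBSHELLS if ws in line]
    return hits


def originating_hosts(raw_headers):
    """The 'from' host of each Received: header, top-down (the outermost hop is last)."""
    msg = HeaderParser().parsestr(raw_headers)
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


# Constructed telemetry: a Sysmon-style file create, a proxy log line, a web
# server file-creation audit, a benign SSH logon, and a two-hop Received:
# chain shaped like the one in the alert (with the alert's redactions).
SAMPLE_LINES = [
    r"2015-12-21 03:14:07 FileCreate TargetFilename=C:\Users\dispatcher\AppData\Local\FONTCACHE.DAT",
    "2015-12-21 03:14:09 proxy CONNECT 31.210.111.154:443 https://31.210.111.154/Microsoft/Update/KS081274.php 200",
    "2015-12-22 11:02:55 www-data CREATE /tmp/tmp9067/reDuh.php",
    "2015-12-22 11:03:00 sshd Accepted publickey for operator from 10.20.0.50",
]
SAMPLE_HEADERS = """\
Received: from SRV-EXCA02.kbp.ua (10.1.1.75) by srv-exmb01.kbp.ua (10.1.1.63)
 with Microsoft SMTP Server (TLS) id 15.0.712.22; Wed, 4 Mar 2015 18:59:57 +0000
Received: from mail.baggins.biz ([xxx.xxx.xxx.xxx]) by [subdomain].[domain].[tld] with SMTP;
 04 Mar 2015 18:59:53 +0000
Subject: constructed sample
"""


def scan_sample():
    """Scan the constructed telemetry; keys 0..3 are line hits, 'mail' the matching Received: hosts."""
    results = {i: scan_line(line) for i, line in enumerate(SAMPLE_LINES)}
    results["mail"] = [("domain", h) for h in originating_hosts(SAMPLE_HEADERS) if h in IOC_DOMAINS]
    return results


if __name__ == "__main__":
    for key, hits in scan_sample().items():
        print(key, hits)
```

Path matching is case-insensitive because Windows file systems are, and the user component is a wildcard so the FONTCACHE.DAT and Startup-folder indicators fire for any profile; a hit on a path indicator alone is weak evidence (FONTCACHE.DAT mimics a legitimate name), so the scanner reports the indicator type with each hit so that an analyst can weigh a path match differently from a contact with a listed IP address or web shell.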

ICS-CERT CONTACT 


For any questions related to this report, please contact ICS-CERT at: 


ICS-CERT Operations Center
Toll Free: 1-877-776-7585
International: 1-208-526-0900
Email: ics-cert@hq.dhs.gov


Please visit the ICS-CERT Web site for more information on industrial control systems security, or to report an incident.


DOCUMENT FAQ 


What is an ICS-CERT Incident Alert? An ICS-CERT Incident Alert is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.